run-as Kerberos authentication support on Linux or UNIX


run-as support with Kerberos authentication on Linux/UNIX enables you to execute any program or command under a user account other than the currently logged-in user (you). The target user account is verified using the Kerberos authentication mechanism. To use this feature, set the following attributes:

  • run-as
  • user-name
  • krb-authentication
  • krb-command
  • krb-options

Before you begin

The Command Line adapter uses ksu as the default command to support the run-as feature with Kerberos authentication on Linux or UNIX. ksu is part of Kerberos applications installed with Kerberos V5 (MIT).

If you have a different Kerberos authentication mechanism installed on your system that provides its own set of Kerberos applications (similar to ksu), use the krb-command and krb-options attributes in the adapter request. Doing this prevents the Command Line adapter from using ksu, the default command.

Before executing any command or program using run-as with Kerberos authentication, you must acquire the required Kerberos ticket. If the required Kerberos ticket is not available in the cache, the adapter request fails with a timeout error. Currently, the adapter does not support setting the password for acquiring the required Kerberos ticket.

Note

Solaris computers have SEAM Kerberos installed that does not support ksu. You need to first install Kerberos V5 to use the run-as with Kerberos authentication feature on Solaris.


The following table describes the adapter request attributes for the Command Line adapter to support the run-as with Kerberos authentication feature on Linux or UNIX.

 Adapter request attributes for the run-as with Kerberos authentication feature in the Command Line adapter for Linux or UNIX

The following figure shows a sample adapter request for the Command Line adapter to support the run-as feature with Kerberos authentication on Linux or UNIX using simple commands.

XML sample of the Command Line adapter request using the run-as feature with Kerberos authentication (Linux or UNIX) and simple commands format


<command-request>
 <commands>
  <command run-as="true" user-name="krbuser1" krb-authentication="true">whoami</command>
  <command run-as="true" user-name="krbuser2" krb-authentication="true">whoami</command>
 </commands>
</command-request>

The following figure shows a sample adapter response for the Command Line adapter to support the run-as feature with Kerberos authentication on Linux or UNIX using simple commands.

XML sample of the Command Line adapter response using the run-as feature with Kerberos authentication for Linux or UNIX and simple commands format


<command-result>
 <metadata>
   <status>success</status>
 </metadata>
 <targets-output>
   <target-output>
     <metadata>
       <os-id>Linux</os-id>
       <os-version>2.6.18-1.2747.el5</os-version>
       <os-arch>i386</os-arch>
       <status>success</status>
     </metadata>
     <commands-output>
       <command-output>
         <metadata>
           <command>whoami</command>
           <line-count>5</line-count>
           <execution-milliseconds>388</execution-milliseconds>
           <exit-code>0</exit-code>
           <status>success</status>
         </metadata>
         <output>
           <line index="1">krbuser1</line>
           <line index="2">Authenticated newuser@SYNAPSE.COM</line>
           <line index="3">Account krbuser1: authorization for newuser@SYNAPSE.COM for execution of</line>
           <line index="4">/bin/sh successful</line>
           <line index="5">Changing uid to krbuser1 (508)</line>
         </output>
       </command-output>
       <command-output>
         <metadata>
           <command>whoami</command>
           <line-count>5</line-count>
           <execution-milliseconds>339</execution-milliseconds>
           <exit-code>0</exit-code>
           <status>success</status>
         </metadata>
         <output>
           <line index="1">krbuser2</line>
           <line index="2">Authenticated newuser@SYNAPSE.COM</line>
           <line index="3">Account krbuser2: authorization for newuser@SYNAPSE.COM for execution of</line>
           <line index="4">/bin/sh successful</line>
           <line index="5">Changing uid to krbuser2 (509)</line>
         </output>
       </command-output>
     </commands-output>
   </target-output>
 </targets-output>
</command-result>
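The response above shows what a successful run-as execution looks like: the command's own output, ksu's "Authenticated" and "authorization ... successful" lines, and finally "Changing uid to <user> (<uid>)". A consumer of these results should confirm that the uid switch actually landed on the user-name that was requested rather than trusting the status element alone. The following Python is an added example, not part of the product documentation; it pairs the run-as commands in a request with the command-output elements in the response (the same elements appear in the simple, command-group and FAT formats) and checks status, exit code and the ksu uid line. The request and response below are constructed samples modelled on this page; the second response is deliberately altered to show a mismatch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed request, modelled on the simple-commands sample on this page.
REQUEST = """<command-request>
 <commands>
  <command run-as="true" user-name="krbuser1" krb-authentication="true">whoami</command>
  <command run-as="true" user-name="krbuser2" krb-authentication="true">whoami</command>
 </commands>
</command-request>"""

# Constructed response: the second command-output is altered so that ksu
# reports a uid switch to a different account than the one requested.
RESPONSE = """<command-result>
 <metadata><status>success</status></metadata>
 <targets-output><target-output>
  <commands-output>
   <command-output>
    <metadata><command>whoami</command><exit-code>0</exit-code><status>success</status></metadata>
    <output>
     <line index="1">krbuser1</line>
     <line index="2">Authenticated newuser@SYNAPSE.COM</line>
     <line index="5">Changing uid to krbuser1 (508)</line>
    </output>
   </command-output>
   <command-output>
    <metadata><command>whoami</command><exit-code>0</exit-code><status>success</status></metadata>
    <output>
     <line index="1">newuser</line>
     <line index="5">Changing uid to newuser (500)</line>
    </output>
   </command-output>
  </commands-output>
 </target-output></targets-output>
</command-result>"""

# ksu's final line, as shown in the samples: "Changing uid to <user> (<uid>)"
UID_LINE = re.compile(r"^Changing uid to (\S+) \(\d+\)$")

def check_run_as(request_xml, response_xml):
    """Return [(user-name, 'ok' | 'mismatch'), ...] for each run-as command, in request order."""
    wanted = [c.get("user-name") for c in ET.fromstring(request_xml).iter("command")
              if c.get("run-as") == "true" and c.get("krb-authentication") == "true"]
    results = []
    for user, out in zip(wanted, ET.fromstring(response_xml).iter("command-output")):
        lines = [(ln.text or "").strip() for ln in out.iter("line")]
        switched = [m.group(1) for m in map(UID_LINE.match, lines) if m]
        ok = (out.findtext("metadata/status") == "success"
              and out.findtext("metadata/exit-code") == "0"
              and switched == [user])          # exactly one uid switch, to the requested user
        results.append((user, "ok" if ok else "mismatch"))
    return results
```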

The following figure shows a sample adapter request for the Command Line adapter to support the run-as feature with Kerberos authentication on Linux or UNIX using a command group.

XML sample of the Command Line adapter request using the run-as feature with Kerberos authentication for Linux or UNIX and command group format


<command-request>
 <commands>
  <command-group>
   <command run-as="true" user-name="krbuser1" krb-authentication="true">whoami;pwd</command>
   <command run-as="true" user-name="krbuser2" krb-authentication="true">whoami</command>
  </command-group>
 </commands>
</command-request>

The following figure shows a sample adapter response (Linux) for the Command Line adapter to support the run-as feature with Kerberos authentication on Linux or UNIX using a command group.

XML sample of the Command Line adapter response using the run-as feature with Kerberos authentication for Linux or UNIX and command group format


<command-result>
 <metadata>
   <status>success</status>
 </metadata>
 <targets-output>
   <target-output>
     <metadata>
       <os-id>Linux</os-id>
       <os-version>2.6.18-1.2747.el5</os-version>
       <os-arch>i386</os-arch>
       <status>success</status>
     </metadata>
     <commands-output>
       <command-output>
         <metadata>
           <command>whoami;pwd</command>
           <line-count>6</line-count>
           <execution-milliseconds>396</execution-milliseconds>
           <exit-code>0</exit-code>
           <status>success</status>
         </metadata>
         <output>
           <line index="1">krbuser1</line>
           <line index="2">/home/newuser/CDP_750207</line>
           <line index="3">Authenticated newuser@SYNAPSE.COM</line>
            <line index="4">Account krbuser1: authorization for newuser@SYNAPSE.COM for execution of</line>
           <line index="5">/bin/sh successful</line>
           <line index="6">Changing uid to krbuser1 (508)</line>
         </output>
       </command-output>
       <command-output>
         <metadata>
            <command>whoami</command>
           <line-count>5</line-count>
           <execution-milliseconds>520</execution-milliseconds>
           <exit-code>0</exit-code>
           <status>success</status>
         </metadata>
         <output>
           <line index="1">krbuser2</line>
           <line index="2">Authenticated newuser@SYNAPSE.COM</line>
           <line index="3">Account krbuser2: authorization for newuser@SYNAPSE.COM for execution of</line>
           <line index="4">/bin/sh successful</line>
           <line index="5">Changing uid to krbuser2 (509)</line>
         </output>
       </command-output>
     </commands-output>
   </target-output>
 </targets-output>
</command-result>

The following figure shows a sample adapter request for the Command Line adapter to support the run-as feature with Kerberos authentication on Linux or UNIX using FAT commands.

XML sample of the Command Line adapter request using the run-as feature with Kerberos authentication for Linux or UNIX and FAT command format


<command-request>
 <commands>
  <fat-command>
   <command os-id="Linux" run-as="true" user-name="krbuser1" krb-authentication="true">whoami</command>
  </fat-command>
 </commands>
</command-request>

The following figure shows a sample adapter response for the Command Line adapter to support the run-as feature with Kerberos authentication on Linux or UNIX using FAT commands.

XML sample of the Command Line adapter response using the run-as feature with Kerberos authentication (Linux or UNIX) and FAT command format


<command-result>
 <metadata>
   <status>success</status>
 </metadata>
 <targets-output>
   <target-output>
     <metadata>
       <os-id>Linux</os-id>
       <os-version>2.6.18-1.2747.el5</os-version>
       <os-arch>i386</os-arch>
       <status>success</status>
     </metadata>
     <commands-output>
       <command-output>
         <metadata>
           <command>whoami</command>
           <line-count>5</line-count>
           <execution-milliseconds>462</execution-milliseconds>
           <exit-code>0</exit-code>
           <status>success</status>
         </metadata>
         <output>
          <line index="1">krbuser1</line>
          <line index="2">Authenticated newuser@SYNAPSE.COM</line>
           <line index="3">Account krbuser1: authorization for newuser@SYNAPSE.COM for execution of</line>
          <line index="4">/bin/sh successful</line>
          <line index="5">Changing uid to krbuser1 (508)</line>
         </output>
       </command-output>
     </commands-output>
   </target-output>
 </targets-output>
</command-result>
